From: martin@martinorr.name (Martin Orr)
Date: Wed, 1 Oct 2008 00:15:56 +0100
Subject: [refpolicy] debian policy patch
In-Reply-To: <200809292032.13348.russell@coker.com.au>
References: <200809292032.13348.russell@coker.com.au>
Message-ID: <20080930231556.GA5575@caligula.martinorr.name>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 29, 2008 at 08:32:12PM +1000, Russell Coker wrote:
> The attached patch against the latest subversion tree strictly applies to 
> Debian related things.
> 
> -- 
> russell at coker.com.au
> http://etbe.coker.com.au/          My Blog
> 
> http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

> diff -ruw policy/modules/admin/acct.fc /tmp/new-pol/modules/admin/acct.fc
> --- policy/modules/admin/acct.fc	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/acct.fc	2008-09-29 20:15:54.000000000 +1000
> @@ -5,4 +5,9 @@
>  
>  /usr/sbin/accton	--	gen_context(system_u:object_r:acct_exec_t,s0)
>  
> +ifdef(`distro_debian',`
> +/var/log/account(/.*)?  gen_context(system_u:object_r:acct_data_t,s0)
> +', `
>  /var/account(/.*)?		gen_context(system_u:object_r:acct_data_t,s0)
> +')
> +
> diff -ruw policy/modules/admin/alsa.fc /tmp/new-pol/modules/admin/alsa.fc
> --- policy/modules/admin/alsa.fc	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/alsa.fc	2008-09-29 20:15:54.000000000 +1000
> @@ -1,9 +1,19 @@
> +
> +/etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)

This leaves two copies of the above lines in the file.

>  /bin/alsaunmute		--	gen_context(system_u:object_r:alsa_exec_t,s0)
>  
> +ifdef(`distro_debian', `
> +/var/lib/alsa/asound\.state	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa/pcm(/.*)?	      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +', `
>  /etc/alsa/asound\.state --	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>  /etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>  /etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>  /etc/asound\.state	--	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +')
> +
>  
>  /sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
>  /sbin/salsa 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
> diff -ruw policy/modules/admin/apt.fc /tmp/new-pol/modules/admin/apt.fc
> --- policy/modules/admin/apt.fc	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.fc	2008-09-29 20:15:54.000000000 +1000
> @@ -12,5 +12,10 @@
>  /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
>  /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
>  
> +# aptitude lock
> +/var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
> +# aptitude log
> +/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
> +
>  # dpkg terminal log
>  /var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
> diff -ruw policy/modules/admin/apt.if /tmp/new-pol/modules/admin/apt.if
> --- policy/modules/admin/apt.if	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.if	2008-09-29 20:15:54.000000000 +1000
> @@ -73,6 +73,25 @@
>  
>  ########################################
>  ## <summary>
> +##	Do not audit attempts to use file descriptors from apt.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process attempting performing this action
> +##      which should not be audited.
> +##	</summary>
> +## </param>
> +#
> +interface(`apt_dontaudit_use_fds',`
> +	gen_require(`
> +		type apt_t;
> +	')
> +
> +	dontaudit $1 apt_t:fd use;
> +')

Unnecessary interface - see comment below where it's used.

> +
> +########################################
> +## <summary>
>  ##	Read from an unnamed apt pipe.
>  ## </summary>
>  ## <param name="domain">
> @@ -129,6 +148,27 @@
>  
>  ########################################
>  ## <summary>
> +##	Read the apt package cache.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`apt_read_cache',`
> +	gen_require(`
> +		type apt_var_cache_t;
> +	')
> +
> +	files_search_var($1)
> +	allow $1 apt_var_cache_t:dir list_dir_perms;
> +	dontaudit $1 apt_var_cache_t:dir write;
> +	allow $1 apt_var_cache_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read the apt package database.
>  ## </summary>
>  ## <param name="domain">
> diff -ruw policy/modules/admin/apt.te /tmp/new-pol/modules/admin/apt.te
> --- policy/modules/admin/apt.te	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.te	2008-09-29 20:15:54.000000000 +1000
> @@ -30,6 +30,11 @@
>  type apt_var_cache_t alias var_cache_apt_t;
>  files_type(apt_var_cache_t)
>  
> +# aptitude lock file
> +type apt_lock_t;
> +files_lock_file(apt_lock_t)
> +
> +# aptitude log file
>  type apt_var_log_t;
>  logging_log_file(apt_var_log_t)
>  
> @@ -53,6 +58,9 @@
>  allow apt_t self:msgq create_msgq_perms;
>  allow apt_t self:msg { send receive };
>  
> +# Run update
> +allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
>  # Access /var/cache/apt files
>  manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>  files_var_filetrans(apt_t, apt_var_cache_t, dir)
> @@ -72,6 +80,14 @@
>  manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>  files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>  
> +# lock files
> +allow apt_t apt_lock_t:dir manage_dir_perms;
> +allow apt_t apt_lock_t:file manage_file_perms;
> +files_lock_filetrans(apt_t, apt_lock_t, {dir file})
> +
> +# log files
> +allow apt_t apt_var_log_t:file manage_file_perms;
> +
>  kernel_read_system_state(apt_t)
>  kernel_read_kernel_sysctls(apt_t)
>  
> @@ -114,9 +130,15 @@
>  libs_exec_lib_files(apt_t)
>  
>  logging_send_syslog_msg(apt_t)
> +logging_log_filetrans(apt_t, apt_var_log_t, file)
>  
>  miscfiles_read_localization(apt_t)
>  
> +# this is not particularly nice.
> +# maybe add a type for ~/.aptitude instead.
> +userdom_manage_all_users_home_content_files(apt_t)
> +userdom_manage_all_users_home_content_dirs(apt_t)
> +
>  seutil_use_newrole_fds(apt_t)
>  
>  sysnet_read_config(apt_t)
> @@ -127,6 +149,10 @@
>  #')
>  
>  optional_policy(`
> +	pythonsupport_domtrans(apt_t)
> +')

This patch doesn't contain the pythonsupport_domtrans interface.

> +
> +optional_policy(`
>  	# dpkg interaction
>  	dpkg_read_db(apt_t)
>  	dpkg_domtrans(apt_t)
> diff -ruw policy/modules/admin/bootloader.fc /tmp/new-pol/modules/admin/bootloader.fc
> --- policy/modules/admin/bootloader.fc	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/bootloader.fc	2008-09-29 20:15:54.000000000 +1000
> @@ -2,6 +2,15 @@
>  /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
>  /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
>  
> +
> +# Debian puts grub in /usr/sbin/grub
> +ifdef(`distro_debian',`
> +/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +',`
>  /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +')
>  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
>  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> diff -ruw policy/modules/admin/dmesg.te /tmp/new-pol/modules/admin/dmesg.te
> --- policy/modules/admin/dmesg.te	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/dmesg.te	2008-09-29 20:15:54.000000000 +1000
> @@ -52,7 +52,9 @@
>  
>  userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
>  
> +optional_policy(`
>  sysadm_use_terms(dmesg_t)
> +')
>  
>  optional_policy(`
>  	seutil_sigchld_newrole(dmesg_t)
> diff -ruw policy/modules/admin/dpkg.te /tmp/new-pol/modules/admin/dpkg.te
> --- policy/modules/admin/dpkg.te	2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/dpkg.te	2008-09-29 20:15:54.000000000 +1000
> @@ -67,6 +67,16 @@
>  allow dpkg_t self:msgq create_msgq_perms;
>  allow dpkg_t self:msg { send receive };
>  
> +# This is for se_aptitude et al, so that maintainer scripts can talk back.
> +apt_use_fds(dpkg_script_t)
> +apt_rw_pipes(dpkg_script_t)

Already in an optional_policy block.

> +
> +# This is for the maintainer scripts
> +init_use_script_fds(dpkg_script_t)
> +
> +# se_apt-get needs this to run dpkg-preconfigure
> +init_use_script_ptys(dpkg_t)

Why are you pulling these out of their proper alphabetical order?

> +
>  allow dpkg_t dpkg_lock_t:file manage_file_perms;
>  
>  manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> @@ -150,7 +160,6 @@
>  files_exec_etc_files(dpkg_t)
>  
>  init_domtrans_script(dpkg_t)
> -init_use_script_ptys(dpkg_t)
>  
>  libs_use_ld_so(dpkg_t)
>  libs_use_shared_libs(dpkg_t)
> @@ -167,11 +176,15 @@
>  sysnet_read_config(dpkg_t)
>  
>  userdom_use_unpriv_users_fds(dpkg_t)
> +allow userdomain dpkg_var_lib_t:dir list_dir_perms;
> +allow userdomain dpkg_var_lib_t:file read_file_perms;

Encapsulation violation: should use dpkg_read_db.

>  
>  # transition to dpkg script:
>  dpkg_domtrans_script(dpkg_t)
> -# since the scripts aren't labeled correctly yet...
> +# since the scripts are not labeled correctly yet...
>  allow dpkg_t dpkg_var_lib_t:file execute;
> +# This is used for running config files for debconf interactions
> +allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
>  
>  optional_policy(`
>  	apt_use_ptys(dpkg_t)
> @@ -295,7 +308,6 @@
>  auth_manage_all_files_except_shadow(dpkg_script_t)
>  
>  init_domtrans_script(dpkg_script_t)
> -init_use_script_fds(dpkg_script_t)
>  
>  libs_use_ld_so(dpkg_script_t)
>  libs_use_shared_libs(dpkg_script_t)
> diff -ruw policy/modules/kernel/devices.fc /tmp/new-pol/modules/kernel/devices.fc
> --- policy/modules/kernel/devices.fc	2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/devices.fc	2008-09-29 20:15:54.000000000 +1000
> @@ -1,5 +1,12 @@
>  
>  /dev			-d	gen_context(system_u:object_r:device_t,s0)
> +ifdef(`distro_debian',`
> +# this is a static /dev dir "backup mount"
> +# if you want to disable udev, you'll have to boot permissive and relabel!
> +/dev/\.static	-d		gen_context(system_u:object_r:device_t,s0)
> +/dev/\.static/dev	-d		gen_context(system_u:object_r:device_t,s0)
> +/dev/\.static/dev/(.*)?		<<none>>
> +')
>  /dev/.*				gen_context(system_u:object_r:device_t,s0)
>  
>  /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
> diff -ruw policy/modules/kernel/files.fc /tmp/new-pol/modules/kernel/files.fc
> --- policy/modules/kernel/files.fc	2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/files.fc	2008-09-29 20:15:54.000000000 +1000
> @@ -252,4 +252,7 @@
>  
>  ifdef(`distro_debian',`
>  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> +# on Debian /lib/init/rw is a tmpfs used like /var/run but
> +# before /var is mounted
> +/lib/init/rw		-d	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
>  ')
> diff -ruw policy/modules/kernel/files.te /tmp/new-pol/modules/kernel/files.te
> --- policy/modules/kernel/files.te	2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/files.te	2008-09-29 20:15:54.000000000 +1000
> @@ -174,6 +174,10 @@
>  #
>  type var_run_t;
>  files_pid_file(var_run_t)
> +ifdef(`distro_debian', `
> +# for /lib/init/rw
> +typeattribute var_run_t mountpoint;
> +')
>  
>  #
>  # var_spool_t is the type of /var/spool
> diff -ruw policy/modules/services/dcc.fc /tmp/new-pol/modules/services/dcc.fc
> --- policy/modules/services/dcc.fc	2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/dcc.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -5,13 +5,27 @@
>  /usr/bin/cdcc			--	gen_context(system_u:object_r:cdcc_exec_t,s0)
>  /usr/bin/dccproc		--	gen_context(system_u:object_r:dcc_client_exec_t,s0)
>  
> +ifdef(`distro_redhat',`
>  /usr/libexec/dcc/dbclean	--	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
>  /usr/libexec/dcc/dccd		--	gen_context(system_u:object_r:dccd_exec_t,s0)
>  /usr/libexec/dcc/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
>  /usr/libexec/dcc/dccm		--	gen_context(system_u:object_r:dccm_exec_t,s0)
> +')
> +ifdef(`distro_debian',`
> +/usr/sbin/dbclean               --	gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
> +/usr/sbin/dccd		        --	gen_context(system_u:object_r:dccd_exec_t,s0)
> +/usr/sbin/dccifd		--	gen_context(system_u:object_r:dccifd_exec_t,s0)
> +/usr/sbin/dccm		        --	gen_context(system_u:object_r:dccm_exec_t,s0)
> +')
>  
> +ifdef(`distro_redhat',`
>  /var/dcc(/.*)?				gen_context(system_u:object_r:dcc_var_t,s0)
>  /var/dcc/map			--	gen_context(system_u:object_r:dcc_client_map_t,s0)
> +')
> +ifdef(`distro_debian',`
> +/var/lib/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_t,s0)
> +/var/lib/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
> +')
>  
>  /var/run/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_run_t,s0)
>  /var/run/dcc/map		--	gen_context(system_u:object_r:dcc_client_map_t,s0)
> diff -ruw policy/modules/services/ldap.fc /tmp/new-pol/modules/services/ldap.fc
> --- policy/modules/services/ldap.fc	2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/ldap.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -1,10 +1,11 @@
>  
>  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
>  
> -/usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
> -
> +# Debian and Ubunto place slapd in a different location
>  ifdef(`distro_debian',`
>  /usr/lib/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
> +', `
> +/usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
>  ')

This is no longer correct: Debian now has /usr/sbin/slapd.

>  
>  /var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
> diff -ruw policy/modules/services/nagios.fc /tmp/new-pol/modules/services/nagios.fc
> --- policy/modules/services/nagios.fc	2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/nagios.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -11,6 +11,7 @@
>  /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
>  
>  ifdef(`distro_debian',`
> -/usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
> -/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> +/usr/sbin/nagios.*		--	gen_context(system_u:object_r:nagios_exec_t,s0)
> +/usr/lib/cgi-bin/nagios.?/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> +/usr/lib/nagios3/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
>  ')
> diff -ruw policy/modules/services/portmap.fc /tmp/new-pol/modules/services/portmap.fc
> --- policy/modules/services/portmap.fc	2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/portmap.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -4,6 +4,7 @@
>  ifdef(`distro_debian',`
>  /sbin/pmap_dump		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
>  /sbin/pmap_set		--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> +/var/run/portmap_mapping --	gen_context(system_u:object_r:portmap_var_run_t,s0)
>  ', `
>  /usr/sbin/pmap_dump	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
>  /usr/sbin/pmap_set	--	gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> diff -ruw policy/modules/services/ssh.te /tmp/new-pol/modules/services/ssh.te
> --- policy/modules/services/ssh.te	2008-09-27 15:27:05.000000000 +1000
> +++ /tmp/new-pol/modules/services/ssh.te	2008-09-29 20:16:09.000000000 +1000
> @@ -55,6 +55,11 @@
>  	init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
>  ')
>  
> +ifdef(`distro_debian', `
> +# for key blacklist related to openssl bug
> +	allow sshd_t usr_t:file read_file_perms;
> +')
> +
>  #################################
>  #
>  # sshd local policy
> diff -ruw policy/modules/system/init.fc /tmp/new-pol/modules/system/init.fc
> --- policy/modules/system/init.fc	2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/init.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -15,6 +15,10 @@
>  /etc/vmware/init\.d/vmware --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /etc/x11/startDM\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  ')
> +ifdef(`distro_debian',`
> +/var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/kdm/.*		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
> +')
>  
>  #
>  # /dev
> diff -ruw policy/modules/system/libraries.te /tmp/new-pol/modules/system/libraries.te
> --- policy/modules/system/libraries.te	2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/libraries.te	2008-09-29 20:16:09.000000000 +1000
> @@ -90,6 +90,11 @@
>  
>  userdom_use_all_users_fds(ldconfig_t)
>  
> +optional_policy(`
> +	# This is needed for apt to get and install packages silently
> +        apt_dontaudit_use_fds(ldconfig_t)   
> +')

We already have apt_use_fds(ldconfig_t)

> +
>  ifdef(`distro_ubuntu',`
>  	optional_policy(`
>  		unconfined_domain(ldconfig_t)
> diff -ruw policy/modules/system/sysnetwork.fc /tmp/new-pol/modules/system/sysnetwork.fc
> --- policy/modules/system/sysnetwork.fc	2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/sysnetwork.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -22,6 +22,9 @@
>  /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>  ')
>  
> +ifdef(`distro_debian', `
> +/dev/shm/network(/.*)?			gen_context(system_u:object_r:net_conf_t,s0)
> +')
>  #
>  # /sbin
>  #
> diff -ruw policy/modules/system/udev.fc /tmp/new-pol/modules/system/udev.fc
> --- policy/modules/system/udev.fc	2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/udev.fc	2008-09-29 20:16:09.000000000 +1000
> @@ -10,7 +10,11 @@
>  
>  /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>  
> +ifdef(`distro_debian', `
> +/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
> +', `
>  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
> +')
>  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
>  /sbin/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
>  /sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)

-- 
Martin Orr